Merge branch '8.16' into mergify/bp/8.16/pr-6080

Author: benironside

docs/detections/images/boxesVertical.svg

@@ -16,7 +16,7 @@ Follow these guidelines to start using the {security-app}'s <<prebuilt-rules, pr
 
 [NOTE]
 ====
-* Prebuilt rules don't start running by default. You must first install the rules, then enable them. After installation, only a few prebuilt rules will be enabled by default, such as the Endpoint Security rule.
+* Most prebuilt rules don't start running by default. You can use the **Install and enable** option to start running rules as you install them, or first install the rules, then enable them manually. After installation, only a few prebuilt rules will be enabled by default, such as the Endpoint Security rule.
 
 * You can't modify most settings on Elastic prebuilt rules. You can only edit <<rule-notifications, rule actions>> and <<add-exceptions, add exceptions>>. If you want to modify other settings on a prebuilt rule, you must first duplicate it, then make your changes to the duplicated rule. However, your customized rule is entirely separate from the original prebuilt rule, and will not get updates from Elastic if the prebuilt rule is updated.
 
@@ -39,16 +39,19 @@ image::images/prebuilt-rules-add-badge.png[The Add Elastic Rules page]
 TIP: To examine the details of a rule before you install it, select the rule name. This opens the rule details flyout.
 
 . Do one of the following:
-* Install all available rules: Click *Install all*.
-* Install a single rule: Click *Install rule* for that rule.
-* Install multiple rules: Select the rules and click *Install _x_ selected rule(s)*.
++
+--
+* Install all available rules: Click *Install all* at the top of the page. (This doesn't enable the rules; you still need to do that manually.)
+* Install a single rule: In the rules table, either click **Install** to install a rule without enabling it, or click image:images/boxesVertical.svg[Vertical boxes button] → **Install and enable** to start running the rule once it's installed.
+* Install multiple rules: Select the rules, and then at the top of the page either click *Install _x_ selected rule(s)* to install without enabling the rules, or click image:images/boxesVertical.svg[Vertical boxes button] → **Install and enable** to install and start running the rules.
+--
 +
 TIP: Use the search bar and *Tags* filter to find the rules you want to install. For example, filter by `OS: Windows` if your environment only includes Windows endpoints. For more on tag categories, refer to <<prebuilt-rule-tags>>.
 +
 [role="screenshot"]
 image::images/prebuilt-rules-add.png[The Add Elastic Rules page]
 
-. Go back to the *Rules* page, search or filter for any rules you want to run, and do either of the following:
+. For any rules you haven't already enabled, go back to the *Rules* page, search or filter for the rules you want to run, and do either of the following:
 
 * Enable a single rule: Turn on the rule's *Enabled* switch.
 * Enable multiple rules: Select the rules, then click *Bulk actions* -> *Enable*.

docs/detections/images/prebuilt-rules-add.png

@@ -14,7 +14,6 @@ Add {elastic-defend}'s <<response-actions,response actions>> to detection rules
 * Automated response actions require an https://www.elastic.co/pricing[Enterprise subscription].
 * Hosts must have {agent} installed with the {elastic-defend} integration.
 * Your user role must have the ability to create detection rules and the privilege to perform <<response-action-commands,specific response actions>> (for example, the **Host Isolation** privilege to isolate hosts).
-* You can only add automated response actions to <<create-custom-rule,custom query>>, <<create-eql-rule,event correlation (EQL)>>, <<create-new-terms-rule,new terms>>, and <<create-esql-rule,{esql}>> type rules.
 --
 
 To add automated response actions to a new or existing rule: